Optimal counterfeiting attacks and generalizations for
Wiesner's quantum money



Abel Molina, Thomas Vidick, and John Watrous
February 20, 2012 



Abstract 

We present an analysis of Wiesner's quantum money scheme, as well as some natural
generalizations of it, based on semidefinite programming. For Wiesner's original scheme, it is
determined that the optimal probability for a counterfeiter to create two copies of a bank note
from one, where both copies pass the bank's test for validity, is $(3/4)^n$ for $n$ being the number
of qubits used for each note. Generalizations in which other ensembles of states are substituted
for the one considered by Wiesner are also discussed, including a scheme recently proposed by
Pastawski, Yao, Jiang, Lukin, and Cirac, as well as schemes based on higher dimensional
quantum systems. In addition, we introduce a variant of Wiesner's quantum money in which the
verification protocol for bank notes involves only classical communication with the bank. We
show that the optimal probability with which a counterfeiter can succeed in two independent
verification attempts, given access to a single valid $n$-qubit bank note, is $(3/4 + \sqrt{2}/8)^n$. We
also analyze extensions of this variant to higher-dimensional schemes.

1 Introduction 

Wiesner's protocol for quantum money [Wie83] was a formative idea in quantum information
processing. In this protocol, a bank generates a bank note composed of $n$ qubits: each qubit is
initialized to a state chosen uniformly at random from the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, and this choice
of states is kept secret by the bank. The bank can later check the authenticity of a given note
by performing a measurement on each of its qubits, in accordance with its secret record of their
original states. (Each bank note is labeled with a unique serial number, so that all of the bank
notes in circulation may be treated independently.) The security of Wiesner's scheme rests on the
principle that quantum states cannot be cloned — that is, a malicious attacker, given access to a
fixed supply of authentic bank notes, cannot generate a larger quantity of valid bank notes than
those to which he was initially given access.

Although Wiesner's scheme was introduced almost three decades ago, to the best of our
knowledge no rigorous analysis with explicit bounds on the security of the scheme exists in
the literature. The intuition that the scheme's security follows from the no-cloning principle
appears in [LSP98], and quantitatively one should be able to obtain exponential security
guarantees from results such as proofs of the security of the BB84 quantum key exchange
protocol [BB84, SP00, May01] or of uncloneable encryption [Got02]. In this paper we prove tight bounds
on the security of Wiesner's quantum money scheme, through a simple and easily extended
argument based on semidefinite programming.

We consider the specific situation in which a counterfeiter, given access to a single authentic 
bank note, attempts to create two bank notes having the same serial number that independently 
pass the bank's test for validity. We will call such attacks simple counterfeiting attacks. Our first 
main result is the following. 

Theorem 1. The optimal simple counterfeiting attack against Wiesner's quantum money scheme has
success probability exactly $(3/4)^n$, where $n$ is the number of qubits in each bank note.¹

Other types of attacks are not analyzed in this paper, but we must note their existence! For
instance, a counterfeiter may attempt to create or copy bank notes through multiple interactions
with the bank. One simple example of such an attack does not require counterfeiters to possess
any bank notes to start with: by substituting one of two qubits of a Bell state for each qubit of a
bank note, a counterfeiter can succeed in passing the bank's test for validity with probability $2^{-n}$,
and then conditioned on having succeeded the counterfeiter will be guaranteed to hold a second
valid bank note.² One would therefore expect that the bank would charge a small fee for testing
validity, or perhaps alert the authorities when an individual repeatedly makes failed attempts to
validate bank notes, for otherwise counterfeiters have a very small but positive incentive to attack
the protocol. Generally speaking, an analysis of attacks of this nature would seem to require a
limit on the number of verification attempts permitted, or the specification of a utility function
that weighs the potential gain from counterfeiting against the costs for multiple verifications. We
expect that the semidefinite programming method used to prove Theorem 1 would be useful for
analyzing such attacks, but we leave this as a problem for interested readers to consider.

We also consider simple counterfeiting strategies against quantum money schemes that
generalize Wiesner's original scheme. These are the schemes obtained by varying the set of possible
states that a quantum bank note may store, as well as the underlying probabilities for those states.
We show that there is a scheme based on the repetition of a 4-state single-qubit scheme (i.e., having
the same structure as Wiesner's) for which the optimal simple counterfeiting attack has success
probability $(2/3)^n$, which is optimal among all schemes of that form. Furthermore, we show that
any money scheme based on the use of $d$-dimensional bank notes is subject to a simple
counterfeiting attack with success probability at least $2/(d+1)$, and we describe a scheme for which this
is the best one can do.

One drawback of Wiesner's money scheme is that, not only does it involve communicating
with a centralized bank in order to establish the authenticity of a given bank note,³ but it also
requires quantum communication: bills have to be sent to the bank for verification. Gavinsky [Gav11]
recently introduced an alternative scheme in which bills can be authenticated using only classical
communication with the bank.



¹ Wiesner [Wie83] in fact arrived at a similar bound, but through a not-so-rigorous argument!

² Lutomirski [Lut10] considered a related scenario where the bank kindly provides counterfeiters with access to a
bank note's post-measurement qubits, regardless of whether validity was established. He proved that $O(n)$ verification
attempts are sufficient to break the protocol in this setting.

³ There has also been work in recent years on creating quantum money schemes that do not require any
communication with the bank in order to verify a bank note, but this is only possible under computational
assumptions [FGH+10, LAF+10, Aar09].

We consider the following procedure for classical verification of an $n$-qubit bank note,
constructed as in Wiesner's scheme. The bank sends the user a random challenge $c \in \{0,1\}^n$. An
honest user should measure the $i$-th qubit in the computational basis if $c_i = 0$, or in the Hadamard
basis if $c_i = 1$, and send the measurement outcomes $b \in \{0,1\}^n$ to the bank. The bank
validates the bank note if and only if whenever $c_i$ corresponded to the basis in which qubit $i$ was
encoded, $b_i$ describes the correct outcome. (A similar scheme was independently introduced
recently in [PYJ+11].) In this setting, a simple counterfeiting attack is one in which a counterfeiter tries
to succeed in two independent authentications with the bank, given access to a single valid bank
note. Our second main result is the following.

Theorem 2. For the classical-verification analogue of Wiesner's quantum money scheme, the optimal
simple counterfeiting attack has success probability exactly $(3/4 + \sqrt{2}/8)^n$, for $n$ being the number of qubits
in each bank note.

As for Theorem 1, our proof of Theorem 2 follows from the use of semidefinite programming
techniques. In addition we show that, contrary to the quantum-verification setting, Wiesner's
scheme is optimal as long as one considers only qubits: either changing the bases used to encode
each qubit or increasing the number of possible bases will not improve the scheme's security
against simple counterfeiting attacks. We also consider a natural generalization of this scheme to
bank notes made of $d$-dimensional qudits, and prove that the optimal simple counterfeiting attack
against it has success probability exactly $(3/4 + 1/(4\sqrt{d}))^n$.



Related work. The no-cloning theorem [WZ82] states that there is no perfect quantum cloning
machine. This impossibility result relies on two assumptions: that we are trying to clone all
possible states (of a given dimension), and that we are trying to do so perfectly. Relaxing either or
both assumptions opens the way for a fruitful exploration of the possibility of approximate cloning
machines. Most work in this area focuses on obtaining universal cloners — required to work for all
possible input states — but that may not be perfect.

To quantify the quality of a cloner one has to settle on a figure of merit. Two main figures
have been considered: the minimum (or, alternately, the average) overlap between one of the two
output clones with the input state, or the joint overlap of both output clones with a tensor product
of the input state with itself.⁴ Bužek and Hillery [BH96] determined the optimal universal qubit
cloner in the first case, while Werner [Wer98] solved the general problem with respect to the second
figure of merit.

In the setting of quantum money, however, the first assumption is also relaxed: a counterfeiter
only needs to be successful in cloning the specific states that are used to create the bank notes.
Work in this direction includes that of Bruß et al. [BCDM00], who determined the optimal cloner
for the states used in Wiesner's original money scheme, and for the first figure of merit discussed
above. While in this work we consider the second figure of merit, which is the one appropriate to
the context of quantum money, our results can easily be extended to the first.

We use a semidefinite programming formulation of the problem, in which one can
numerically determine the success probability of an optimal cloner, given any desired possible set of
input states and underlying distribution. The connection between cloning of quantum states and
semidefinite programming was observed by Audenaert and De Moor [ADM02], and has been
used in the study of cloning by other researchers. (See, for instance, the survey of Cerf and
Fiurášek [CF06].) The formulation that we use is closely related to one used in [MW11], and
can also be seen as a special case of a semidefinite programming framework for more general
quantum strategies developed in [GW07].

⁴ In both cases, the specific distance measure used can also be varied. For instance, the trace distance and the
Hilbert-Schmidt distance on density matrices have been considered.

Recent work of Pastawski et al. [PYJ+11] contains an analysis of a 6-state variant of Wiesner's
money scheme, obtaining a tight bound of $(2/3)^n$ on optimal simple counterfeiting attacks. In
addition, they show that the scheme can be made error-tolerant — the bank will accept a bank
note as long as say 99% of the qubit measurements are correct, allowing for the money state to be
slightly perturbed and still undergo a successful authentication.⁵ They also consider a
classical-verification variant of the scheme that is similar to (but somewhat less efficient than) the one we
propose, obtaining exponential security guarantees.

Other works consider more general counterfeiting attacks than we do, and develop techniques
that may be useful to extend our own results. In particular, Aaronson and Christiano [AC12]
reduce security against general $m \to m+1$ cloners (given $m$ copies of a bank note, produce $m+1$
quantum states that will be simultaneously accepted by the bank's verification procedure) to
security against simple counterfeiting attacks of the type we consider (attackers on their
"mini-schemes"). Pastawski et al. [PYJ+11] show that auxiliary access to the bank's verification
procedure does not help, provided the only information returned by the bank is a single bit, indicating
success or failure. Indeed, intuitively this situation may be reduced to one in which the cloner has
no access to such a verification oracle simply by guessing: because most attempts in verification
will result in failure (otherwise we would already have a successful cloner), the bits returned do
not contain much information.



Organization of the paper. We start with some preliminaries on quantum information theory
and semidefinite programming in Section 2. Section 3 contains our results on Wiesner's quantum
money scheme and generalizations, while Section 4 describes our results on schemes with classical
verification procedure.



2 Preliminaries 

We assume the reader is familiar with the basics of quantum information theory, and suggest
Nielsen and Chuang [NC00] to those who are not. The purpose of this section is to summarize
some of the notation and basic concepts we make use of, and to highlight a couple of concepts
that may be less familiar to some readers. The lecture notes [Wat11] may be helpful to readers
interested in further details on these topics.

2.1 Basic notation, states, measurements and channels 

For any finite-dimensional complex Hilbert space $\mathcal{X}$ we write $\mathrm{L}(\mathcal{X})$ to denote the set of linear
operators acting on $\mathcal{X}$, $\mathrm{Herm}(\mathcal{X})$ to denote the set of Hermitian operators acting on $\mathcal{X}$, $\mathrm{Pos}(\mathcal{X})$ to
denote the set of positive semidefinite operators acting on $\mathcal{X}$, $\mathrm{Pd}(\mathcal{X})$ to denote the set of positive
definite operators acting on $\mathcal{X}$, and $\mathrm{D}(\mathcal{X})$ to denote the set of density operators acting on $\mathcal{X}$. For
Hermitian operators $A, B \in \mathrm{Herm}(\mathcal{X})$ the notations $A \geq B$ and $B \leq A$ indicate that $A - B$ is
positive semidefinite, and the notations $A > B$ and $B < A$ indicate that $A - B$ is positive definite.

Given operators $A, B \in \mathrm{L}(\mathcal{X})$ one defines the inner product between $A$ and $B$ as
$\langle A, B\rangle = \mathrm{Tr}(A^* B)$. For Hermitian operators $A, B \in \mathrm{Herm}(\mathcal{X})$ it holds that $\langle A, B\rangle$ is a real number and
satisfies $\langle A, B\rangle = \langle B, A\rangle$. For every choice of finite-dimensional complex Hilbert spaces $\mathcal{X}$ and
$\mathcal{Y}$, and for a given linear mapping of the form $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y})$, there is a unique mapping
$\Phi^* : \mathrm{L}(\mathcal{Y}) \to \mathrm{L}(\mathcal{X})$ (known as the adjoint of $\Phi$) that satisfies $\langle Y, \Phi(X)\rangle = \langle \Phi^*(Y), X\rangle$ for all
$X \in \mathrm{L}(\mathcal{X})$ and $Y \in \mathrm{L}(\mathcal{Y})$.

⁵ Our analysis can also be extended to this setting; see Section 3.4 for more details.

A register is a hypothetical device that stores quantum information. Associated with a register
X is a finite-dimensional complex Hilbert space $\mathcal{X}$, and each quantum state of X is described by
a density operator $\rho \in \mathrm{D}(\mathcal{X})$. Qubits are registers for which $\dim(\mathcal{X}) = 2$. A measurement of X
is described by a set of positive semidefinite operators $\{P_a : a \in \Sigma\} \subset \mathrm{Pos}(\mathcal{X})$, indexed by a
finite non-empty set of measurement outcomes $\Sigma$, and satisfying the constraint $\sum_{a \in \Sigma} P_a = \mathbb{1}_{\mathcal{X}}$ (the
identity operator on $\mathcal{X}$). If such a measurement is performed on X while it is in the state $\rho$, each
outcome $a \in \Sigma$ is obtained with probability $\langle P_a, \rho\rangle$. A quantum channel is a completely positive
and trace-preserving linear mapping of the form $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y})$ that describes a hypothetical
physical process that transforms each state $\rho$ of a register X into the state $\Phi(\rho)$ of another register
Y. The identity channel that does nothing to a register X is denoted $\mathbb{1}_{\mathrm{L}(\mathcal{X})}$.

2.2 Linear mappings on spaces of operators 

Suppose $\dim(\mathcal{X}) = d$ and assume that a fixed orthonormal basis $\{|1\rangle, \ldots, |d\rangle\}$ of $\mathcal{X}$ has been
selected. With respect to this basis, one defines the Choi-Jamiołkowski operator $J(\Phi) \in \mathrm{L}(\mathcal{Y} \otimes \mathcal{X})$
of a linear mapping $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y})$ as

$$J(\Phi) = \sum_{1 \leq i,j \leq d} \Phi(|i\rangle\langle j|) \otimes |i\rangle\langle j|.$$

The mapping $J$ is a linear bijection from the space of mappings of the form $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y})$ to
$\mathrm{L}(\mathcal{Y} \otimes \mathcal{X})$. It is well-known that $\Phi$ is completely positive if and only if $J(\Phi) \in \mathrm{Pos}(\mathcal{Y} \otimes \mathcal{X})$, and
that $\Phi$ is trace-preserving if and only if $\mathrm{Tr}_{\mathcal{Y}}(J(\Phi)) = \mathbb{1}_{\mathcal{X}}$ [Cho75, Jam72]. It is also well-known,
and easy to verify, that

(1)

for any choice of vectors $\in \mathcal{X}$ and $|\phi\rangle \in \mathcal{Y}$, with complex conjugation taken with respect to
the standard basis.

2.3 Semidefinite programming

Semidefinite programming is a topic that has found several interesting applications within
quantum computing and quantum information theory in recent years. Here, we provide just a brief
summary of semidefinite programming that is focused on the narrow aspects of it that we use.
More comprehensive discussions can be found in [VB96, Lov03, dK02, BV04], for instance.
A semidefinite program is a triple $(\Phi, A, B)$, where

1. $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y})$ is a Hermiticity-preserving linear mapping, and

2. $A \in \mathrm{Herm}(\mathcal{X})$ and $B \in \mathrm{Herm}(\mathcal{Y})$ are Hermitian operators,

for some choice of finite-dimensional complex Hilbert spaces $\mathcal{X}$ and $\mathcal{Y}$. We associate with the
triple $(\Phi, A, B)$ two optimization problems, called the primal and dual problems, as follows:

Primal problem
maximize: $\langle A, X\rangle$
subject to: $\Phi(X) = B$,
$X \in \mathrm{Pos}(\mathcal{X})$.

Dual problem
minimize: $\langle B, Y\rangle$
subject to: $\Phi^*(Y) \geq A$,
$Y \in \mathrm{Herm}(\mathcal{Y})$.

The optimal primal value of this semidefinite program is

$$\alpha = \sup\{\langle A, X\rangle : X \in \mathrm{Pos}(\mathcal{X}),\ \Phi(X) = B\},$$

and the optimal dual value is

$$\beta = \inf\{\langle B, Y\rangle : Y \in \mathrm{Herm}(\mathcal{Y}),\ \Phi^*(Y) \geq A\}.$$

(It is to be understood that the supremum over an empty set is $-\infty$ and the infimum over an
empty set is $\infty$, so $\alpha$ and $\beta$ are well-defined values in $\mathbb{R} \cup \{-\infty, \infty\}$. In this paper, however, we
will only consider semidefinite programs for which $\alpha$ and $\beta$ are finite.)

It always holds that $\alpha \leq \beta$, which is a fact known as weak duality. The condition $\alpha = \beta$, which
is known as strong duality, does not hold for every semidefinite program, but there are simple
conditions known under which it does hold. The following theorem provides one such condition
(that has both a primal and dual form).

Theorem 3 (Slater's theorem for semidefinite programs). Let $(\Phi, A, B)$ be a semidefinite program and
let $\alpha$ and $\beta$ be its optimal primal and dual values.

1. If $\beta$ is finite and there exists a positive definite operator $X \in \mathrm{Pd}(\mathcal{X})$ for which $\Phi(X) = B$, then $\alpha = \beta$
and there exists an operator $Y \in \mathrm{Herm}(\mathcal{Y})$ such that $\Phi^*(Y) \geq A$ and $\langle B, Y\rangle = \beta$.

2. If $\alpha$ is finite and there exists a Hermitian operator $Y \in \mathrm{Herm}(\mathcal{Y})$ for which $\Phi^*(Y) > A$, then $\alpha = \beta$
and there exists a positive semidefinite operator $X \in \mathrm{Pos}(\mathcal{X})$ such that $\Phi(X) = B$ and $\langle A, X\rangle = \alpha$.

In words, the first item of this theorem states that if the dual problem is feasible and the primal 
problem is strictly feasible, then strong duality holds and the optimal dual solution is achievable. 
The second item is similar, with the roles of the primal and dual problems reversed. 

3 Wiesner's quantum money and simple generalizations 

Wiesner's quantum money scheme, and straightforward generalizations of it, may be modeled
in the following way. An ensemble of pure quantum states $\mathcal{E} = \{(p_k, |\psi_k\rangle) : k = 1, \ldots, N\}$ is
fixed, and assumed to be known to all (including any would-be counterfeiters). When preparing
a bank note, the bank randomly selects a key $k \in \{1, \ldots, N\}$ with probability $p_k$. The bank note's
quantum system is initialized to the state $|\psi_k\rangle$, and the note is labeled by a unique serial number.
The bank records the serial number along with the secret key $k$.

When an individual wishes to verify a bank note, she brings it to the bank. The bank looks
up the key $k$ and measures the note's quantum state with respect to the projective measurement
$\{\Pi, \mathbb{1} - \Pi\}$, for $\Pi = |\psi_k\rangle\langle\psi_k|$. The measurement outcome associated with $\Pi$ causes the bank note
to be declared valid, while the outcome associated with $\mathbb{1} - \Pi$ causes the bank note to be declared
invalid.

A simple counterfeiting attack against a scheme of the form just described attempts to create
two copies of a bank note from one, and is considered to be successful if both copies
independently pass the bank's verification procedure. We take the original bank note's quantum state to
be stored in a register X having associated Hilbert space $\mathcal{X}$. The registers storing the quantum
states corresponding to the two copies of the bank note produced by a would-be counterfeiter will
be called Y and Z. The Hilbert spaces $\mathcal{Y}$ and $\mathcal{Z}$ associated with these registers are taken to be
isomorphic to $\mathcal{X}$, but will retain distinct names for the sake of our analysis.

Mathematically speaking, a simple counterfeiting attack is described by a quantum channel $\Phi$
transforming X to (Y, Z), taking the state $\rho \in \mathrm{D}(\mathcal{X})$ to the state $\Phi(\rho) \in \mathrm{D}(\mathcal{Y} \otimes \mathcal{Z})$. In order to be
physically realizable, at least in an idealized sense, the channel $\Phi$ must correspond to a completely
positive and trace preserving linear mapping of the form $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y} \otimes \mathcal{Z})$. Conditioned on
the bank having chosen the key $k$, the probability of success for an attack described by $\Phi$ is given
by $\langle \psi_k \otimes \psi_k | \Phi(|\psi_k\rangle\langle\psi_k|) | \psi_k \otimes \psi_k \rangle$. Averaging over the possible choices of $k$, the overall success
probability of a counterfeiting attack is

$$\sum_{k=1}^{N} p_k \langle \psi_k \otimes \psi_k | \Phi(|\psi_k\rangle\langle\psi_k|) | \psi_k \otimes \psi_k \rangle. \tag{2}$$

3.1 An SDP formulation of simple counterfeiting attacks 

We now describe how the optimal success probability of a counterfeiting strategy, which is
represented by the supremum of the probability (2) over all valid channels $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y} \otimes \mathcal{Z})$,
may be represented by a semidefinite program. A similar semidefinite programming formulation
may be found in [ADM02, CF06, MW11], for instance.

The formulation makes use of the Choi-Jamiołkowski representation $J(\Phi)$ of a given channel
$\Phi$, as described in Section 2. Combining the characterization of all such representations that
correspond to quantum channels given there together with (1) and the expression (2), it is not hard
to see that the optimal success probability of any simple counterfeiting strategy is given by the
following semidefinite program:

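Primal problem
maximize: $\langle Q, X\rangle$
subject to: $\mathrm{Tr}_{\mathcal{Y} \otimes \mathcal{Z}}(X) = \mathbb{1}_{\mathcal{X}}$,
$X \in \mathrm{Pos}(\mathcal{Y} \otimes \mathcal{Z} \otimes \mathcal{X})$.

Dual problem
minimize: $\mathrm{Tr}(Y)$
subject to: $\mathbb{1}_{\mathcal{Y} \otimes \mathcal{Z}} \otimes Y \geq Q$,
$Y \in \mathrm{Herm}(\mathcal{X})$,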

where 

N 

k=l 

(The dual problem is obtained from the primal problem in a routine way, as described in Section 2.)
Because the primal and dual problems are both strictly feasible (as follows by taking $X$ and $Y$
to be appropriately chosen multiples of the identity, for example), it follows from Theorem 3 that
the optimal values for the primal and dual problems are always equal, and are both achieved by
feasible choices for $X$ and $Y$.

3.2 Analysis of Wiesner's original scheme (single-qubit case) 

To analyze Wiesner's original quantum money scheme, we begin by considering the single-qubit
(or $n = 1$) case. The analysis of the scheme for arbitrary values of $n$ will follow from known results
concerning product properties of semidefinite programs, as is described later in Section 3.4.
In the single-qubit case, Wiesner's quantum money scheme corresponds to the ensemble

which yields the operator

$$Q = \frac{1}{4}\Big(|000\rangle\langle 000| + |111\rangle\langle 111| + |{+}{+}{+}\rangle\langle{+}{+}{+}| + |{-}{-}{-}\rangle\langle{-}{-}{-}|\Big)$$

in the semidefinite programming formulation described above. We claim that the optimal value of
the semidefinite program in this case is equal to 3/4. To prove this claim, it is sufficient to exhibit
explicit primal and dual feasible solutions achieving the value 3/4. For the primal problem, the
value 3/4 is obtained by the solution $X = J(\Phi)$, for $\Phi$ being the channel

$$\Phi(\rho) = A_0 \rho A_0^* + A_1 \rho A_1^*,$$

where

$$A_0 = \frac{1}{\sqrt{12}} \begin{pmatrix} 3 & 0 \\ 0 & 1 \\ 0 & 1 \\ 1 & 0 \end{pmatrix} \quad\text{and}\quad A_1 = \frac{1}{\sqrt{12}} \begin{pmatrix} 0 & 1 \\ 1 & 0 \\ 1 & 0 \\ 0 & 3 \end{pmatrix}.$$

For the dual problem, the value 3/4 is obtained by the solution $Y$ whose feasibility may
be verified by computing $\|Q\| = 3/8$.



3.3 Optimal single-qubit schemes 

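It is natural to ask if the security of Wiesner's original scheme can be improved through the
selection of a different ensemble $\mathcal{E}$ in place of the one considered in the previous section. The answer
is "yes," as follows from our analysis of Wiesner's original scheme together with the results of
[PYJ+11], wherein the authors consider the ensemble

$$\mathcal{E} = \left\{ \Big(\tfrac{1}{6}, |0\rangle\Big), \Big(\tfrac{1}{6}, |1\rangle\Big), \Big(\tfrac{1}{6}, |+\rangle\Big), \Big(\tfrac{1}{6}, |-\rangle\Big), \Big(\tfrac{1}{6}, \tfrac{|0\rangle + i|1\rangle}{\sqrt{2}}\Big), \Big(\tfrac{1}{6}, \tfrac{|0\rangle - i|1\rangle}{\sqrt{2}}\Big) \right\}.$$

The operator $Q$ that one obtains is given by

$$Q = \frac{1}{\mathrm{rank}(\Pi)} \big(\mathbb{1}_{\mathrm{L}(\mathcal{Y})} \otimes \mathbb{1}_{\mathrm{L}(\mathcal{Z})} \otimes T\big)(\Pi) \tag{3}$$

for $\Pi$ being the projection onto the symmetric subspace of $\mathcal{Y} \otimes \mathcal{Z} \otimes \mathcal{X}$ and $T$ being the
transposition mapping with respect to the standard basis of $\mathcal{X}$.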

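The optimal value of the corresponding semidefinite program is 2/3. Indeed, a primal feasible
solution achieving the value 2/3 is given by $X = J(\Phi)$ for $\Phi$ being the channel

$$\Phi(\rho) = A_0 \rho A_0^* + A_1 \rho A_1^*,$$

where

$$A_0 = \frac{1}{\sqrt{6}} \begin{pmatrix} 2 & 0 \\ 0 & 1 \\ 0 & 1 \\ 0 & 0 \end{pmatrix} \quad\text{and}\quad A_1 = \frac{1}{\sqrt{6}} \begin{pmatrix} 0 & 0 \\ 1 & 0 \\ 1 & 0 \\ 0 & 2 \end{pmatrix}.$$

(This channel is the optimal qubit cloner of Bužek and Hillery [BH96].) A dual feasible solution
achieving the bound 2/3 is given by $Y = \frac{1}{3}\mathbb{1}_{\mathcal{X}}$ (with this solution's feasibility following from a
calculation of $\|Q\| = 1/3$).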

It is interesting to note that the same bound 2/3 can be obtained by a four-state ensemble

$$\mathcal{E} = \left\{ \Big(\tfrac{1}{4}, |\psi_1\rangle\Big), \Big(\tfrac{1}{4}, |\psi_2\rangle\Big), \Big(\tfrac{1}{4}, |\psi_3\rangle\Big), \Big(\tfrac{1}{4}, |\psi_4\rangle\Big) \right\},$$

where $\{|\psi_1\rangle, \ldots, |\psi_4\rangle\}$ are any four states forming a single qubit SIC-POVM [RBKSC04]. The
operator $Q$ corresponding to any such ensemble is identical to the one (3) from the six-state ensemble
above, and therefore yields the same optimal value for the semidefinite program.

The schemes just mentioned are the best possible single qubit schemes. To see this, one may
simply consider the performance of $\Phi$ (i.e., the Bužek-Hillery cloner), for which it follows by a
direct calculation that

$$\langle \psi \otimes \psi | \Phi(|\psi\rangle\langle\psi|) | \psi \otimes \psi \rangle = \frac{2}{3}$$

for every state $|\psi\rangle$. This shows that the optimal primal value, and therefore the optimal
counterfeiting probability, is always at least 2/3.
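
A numerical check of the primal and dual certificates from Sections 3.2 and 3.3, added here as an illustration and not part of the original paper. It builds $Q$ for the four-state and six-state ensembles, confirms that the Choi operator of each cloning channel is primal feasible, and compares $\langle Q, X\rangle$ with $\mathrm{Tr}(Y)$. The function names, the use of NumPy, the dual candidate $Y = \|Q\|\,\mathbb{1}_{\mathcal{X}}$, and the general form of $Q$ (chosen to reproduce the four-state $Q$ of Section 3.2) are assumptions of this sketch.

```python
import numpy as np

S = 1 / np.sqrt(2)
KET0 = np.array([1, 0], dtype=complex)
KET1 = np.array([0, 1], dtype=complex)
PLUS, MINUS = S * (KET0 + KET1), S * (KET0 - KET1)
YPLUS, YMINUS = S * (KET0 + 1j * KET1), S * (KET0 - 1j * KET1)

# Ensembles as (probability, state) pairs: Wiesner's four states and the
# six-state ensemble of Section 3.3.
WIESNER = [(1 / 4, v) for v in (KET0, KET1, PLUS, MINUS)]
SIX_STATE = [(1 / 6, v) for v in (KET0, KET1, PLUS, MINUS, YPLUS, YMINUS)]

# Kraus operators A_0, A_1 of each channel as 4x2 matrices from X to Y (x) Z
# (rows ordered 00, 01, 10, 11). The 1/sqrt(12) and 1/sqrt(6) factors are the
# ones that make each channel trace preserving; primal_value() checks this.
WIESNER_KRAUS = [
    np.array([[3, 0], [0, 1], [0, 1], [1, 0]], dtype=complex) / np.sqrt(12),
    np.array([[0, 1], [1, 0], [1, 0], [0, 3]], dtype=complex) / np.sqrt(12),
]
BUZEK_HILLERY_KRAUS = [
    np.array([[2, 0], [0, 1], [0, 1], [0, 0]], dtype=complex) / np.sqrt(6),
    np.array([[0, 0], [1, 0], [1, 0], [0, 2]], dtype=complex) / np.sqrt(6),
]
TOL = 1e-9


def objective_operator(ensemble):
    """Q = sum_k p_k |v_k><v_k| with v_k = psi_k (x) psi_k (x) conj(psi_k).

    Assumed general form; for the real four-state ensemble it reduces to
    the Q written out in Section 3.2.
    """
    q = np.zeros((8, 8), dtype=complex)
    for p, psi in ensemble:
        v = np.kron(np.kron(psi, psi), psi.conj())
        q += p * np.outer(v, v.conj())
    return q


def choi(kraus):
    """J(Phi) = sum_{i,j} Phi(|i><j|) (x) |i><j| on Y (x) Z (x) X."""
    j_op = np.zeros((8, 8), dtype=complex)
    for i in range(2):
        for j in range(2):
            e_ij = np.zeros((2, 2), dtype=complex)
            e_ij[i, j] = 1
            image = sum(a @ e_ij @ a.conj().T for a in kraus)
            j_op += np.kron(image, e_ij)
    return j_op


def operator_norm(q):
    """Largest eigenvalue of a positive semidefinite operator."""
    return float(np.linalg.eigvalsh(q).max())


def primal_value(ensemble, kraus):
    """<Q, X> for X = J(Phi), after checking that X is primal feasible."""
    x = choi(kraus)
    # Partial trace over Y (x) Z: index X as (yz, x, yz', x') and trace yz.
    reduced = np.trace(x.reshape(4, 2, 4, 2), axis1=0, axis2=2)
    if not np.allclose(reduced, np.eye(2), atol=TOL):
        raise ValueError("Tr_{YZ}(X) != 1_X: channel is not trace preserving")
    if np.linalg.eigvalsh(x).min() < -TOL:
        raise ValueError("X is not positive semidefinite")
    q = objective_operator(ensemble)
    return float(np.trace(q.conj().T @ x).real)


def dual_value(ensemble):
    """Tr(Y) for Y = ||Q|| 1_X, after checking 1_{YZ} (x) Y >= Q."""
    q = objective_operator(ensemble)
    y = operator_norm(q) * np.eye(2)
    slack = np.kron(np.eye(4), y) - q
    if np.linalg.eigvalsh(slack).min() < -TOL:
        raise ValueError("Y is not dual feasible")
    return float(np.trace(y).real)


def success_probability(kraus, psi):
    """<psi psi| Phi(|psi><psi|) |psi psi> for a single input state."""
    target = np.kron(psi, psi)
    return float(sum(abs(np.vdot(target, a @ psi)) ** 2 for a in kraus))


if __name__ == "__main__":
    cases = (
        ("Wiesner four-state", WIESNER, WIESNER_KRAUS),
        ("six-state", SIX_STATE, BUZEK_HILLERY_KRAUS),
        ("Wiesner states, universal cloner", WIESNER, BUZEK_HILLERY_KRAUS),
    )
    for name, ensemble, kraus in cases:
        print(f"{name}: primal {primal_value(ensemble, kraus):.6f}, "
              f"dual {dual_value(ensemble):.6f}")
```

Matching primal and dual values certify optimality by weak duality; the third case shows the universal cloner reaching only 2/3 on Wiesner's states, below the optimum 3/4 for that ensemble.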

3.4 Parallel repetitions of generalized Wiesner schemes 

Wiesner's original scheme may be viewed as the $n$-fold parallel repetition of a scheme wherein the
spaces $\mathcal{X}$, $\mathcal{Y}$, and $\mathcal{Z}$ each represent a single qubit, and where the initial state of each bank note is a
state chosen uniformly from the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. That is, the preparation and verification
of each $n$-qubit bank note is, from the bank's perspective, equivalent to the independent preparation
and verification of $n$ single-qubit bank notes; and a successful counterfeiting attack is equivalent
to a successful counterfeiting attack against all $n$ of the single-qubit notes. The value of $n$ plays the
role of a security parameter, given that it becomes increasingly hard to successfully counterfeit $n$
single-qubit bank notes in a row, without failure, as $n$ grows large.

Now, there is nothing that forces a counterfeiter to attempt to counterfeit an $n$-qubit bank note
by treating each of its $n$ qubits independently. However, it is easily concluded from the
semidefinite programming formulation above that a counterfeiter gains no advantage whatsoever by
correlating multiple qubits during an attack. This, in fact, is true for arbitrary choices of the ensemble
$\mathcal{E}$, as follows from a general result of Mittal and Szegedy [MS07] regarding product properties of
some semidefinite programs. (In our case, this property follows from the fact that the operator $Q$
defining the objective function in the primal problem is always positive semidefinite.)

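In greater detail, let us consider the $n$-fold repetition of a scheme, in which a single repetition
of the scheme gives rise to a semidefinite program determined by $Q \in \mathrm{Pos}(\mathcal{Y} \otimes \mathcal{Z} \otimes \mathcal{X})$. Let us
write $\mathcal{X}_j$, $\mathcal{Y}_j$, and $\mathcal{Z}_j$ to denote copies of the spaces $\mathcal{X}$, $\mathcal{Y}$, and $\mathcal{Z}$ that represent the $j$-th repetition
of the scheme, for $j = 1, \ldots, n$, and let us write $\mathcal{X}^{\otimes n} = \mathcal{X}_1 \otimes \cdots \otimes \mathcal{X}_n$, $\mathcal{Y}^{\otimes n} = \mathcal{Y}_1 \otimes \cdots \otimes \mathcal{Y}_n$, and
$\mathcal{Z}^{\otimes n} = \mathcal{Z}_1 \otimes \cdots \otimes \mathcal{Z}_n$. The semidefinite program that describes the optimal simple counterfeiting
attack probability for the $n$-fold repetition is as follows:

Primal problem
maximize: $\langle W_n (Q^{\otimes n}) W_n^*, X\rangle$
subject to: $\mathrm{Tr}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}}(X) = \mathbb{1}_{\mathcal{X}^{\otimes n}}$,
$X \in \mathrm{Pos}(\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n} \otimes \mathcal{X}^{\otimes n})$.

Dual problem
minimize: $\mathrm{Tr}(Y)$
subject to: $\mathbb{1}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}} \otimes Y \geq W_n (Q^{\otimes n}) W_n^*$,
$Y \in \mathrm{Herm}(\mathcal{X}^{\otimes n})$.

In this semidefinite program, $W_n$ is a unitary operator representing a permutation of Hilbert
spaces:

$$W_n |(y_1 \otimes z_1 \otimes x_1) \otimes \cdots \otimes (y_n \otimes z_n \otimes x_n)\rangle = |(y_1 \otimes \cdots \otimes y_n) \otimes (z_1 \otimes \cdots \otimes z_n) \otimes (x_1 \otimes \cdots \otimes x_n)\rangle,$$

for all choices of $|x_j\rangle \in \mathcal{X}_j$, $|y_j\rangle \in \mathcal{Y}_j$ and $|z_j\rangle \in \mathcal{Z}_j$, for $j = 1, \ldots, n$.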

If the optimal value of the semidefinite program is $\alpha$ in the single-repetition case, then the
optimal value of the semidefinite program for the $n$-fold repetition case is necessarily $\alpha^n$. This
may be proved by considering the primal and dual solutions $X = W_n (X_1 \otimes \cdots \otimes X_n) W_n^*$ and
$Y = Y_1 \otimes \cdots \otimes Y_n$, for $X_1, \ldots, X_n$ being optimal primal solutions and $Y_1, \ldots, Y_n$ being optimal dual
solutions for the single-repetition semidefinite program. The values obtained by these solutions
are both $\alpha^n$. Primal feasibility of $X$ is straightforward, while dual feasibility of $Y$ follows from the
fact that $A \geq B \geq 0$ implies $A^{\otimes n} \geq B^{\otimes n}$ for all positive semidefinite $A$ and $B$.



3.5 Threshold results 



One may also consider noise-tolerant variants of Wiesner's scheme, as was done in [PYJ+11]. In
the setting discussed in the previous subsection where $n$ repetitions of a particular scheme are
performed, we may suppose that the bank's verification procedure declares a bank note valid
whenever at least $t$ out of $n$ repetitions succeed, for some choice of $t < n$, as opposed to requiring
that all $n$ repetitions succeed.

One might hope that a similar analysis to the one in the previous subsection will lead to an 
optimal counterfeiting probability of 



t<j<n 



£ (4) 



for such a scheme, for $\alpha$ being the optimal counterfeiting probability for a single repetition. This
is the probability of successful counterfeiting when each repetition is attacked independently. In
general, however, this bound may not be correct: the main result of [MW11] demonstrates a
related setting in which an analogous bound does not hold, and explains the obstacle to obtaining
such a bound in general. However, for some schemes, including Wiesner's original scheme and
all of the other specific schemes (including the classical verification ones in Section 4.2) discussed
in this paper, this bound will be correct. Letting $d = \dim \mathcal{X}$, the specific assumptions that we
require to obtain the bound (4) are that

$$\sum_{k=1}^{N} p_k |\psi_k\rangle\langle\psi_k| = \frac{1}{d} \mathbb{1}_{\mathcal{X}} \tag{5}$$

and that $Y = \frac{\alpha}{d} \mathbb{1}_{\mathcal{X}}$ is an optimal dual solution to the single-repetition semidefinite program (from
which it follows $\|Q\| = \frac{\alpha}{d}$).

To prove that these requirements are sufficient, let us introduce the following notation. We will
write $Q_1$ in place of $Q$ to denote the operator that specifies the semidefinite program representing
a successful counterfeiting attack, and we will also define

$$Q_0 = \sum_{k=1}^{N} p_k \big(\mathbb{1}_{\mathcal{Y} \otimes \mathcal{Z}} - |\psi_k \otimes \psi_k\rangle\langle\psi_k \otimes \psi_k|\big) \otimes |\overline{\psi_k}\rangle\langle\overline{\psi_k}|,$$

which has a complementary relationship to $Q_1$; it represents a failure to counterfeit in a given
repetition. The semidefinite program describing the optimal counterfeiting probability for the
$n$-fold repetition scheme, where successes in $t$ repetitions are required for a validation, is then as
follows:
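
Primal problem
maximize: $\langle W_n R W_n^*, X\rangle$
subject to: $\mathrm{Tr}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}}(X) = \mathbb{1}_{\mathcal{X}^{\otimes n}}$,
$X \in \mathrm{Pos}(\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n} \otimes \mathcal{X}^{\otimes n})$.

Dual problem
minimize: $\mathrm{Tr}(Y)$
subject to: $\mathbb{1}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}} \otimes Y \geq W_n R W_n^*$,
$Y \in \mathrm{Herm}(\mathcal{X}^{\otimes n})$,

where

$$R = \sum_{\substack{a_1, \ldots, a_n \in \{0,1\} \\ a_1 + \cdots + a_n \geq t}} Q_{a_1} \otimes \cdots \otimes Q_{a_n}.$$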

To prove that the optimal value of this semidefinite program is given by the expression (4),
it suffices to exhibit primal and dual feasible solutions achieving this value. As for the standard
n-fold repetition case described in the previous subsection, it holds that $X = W_\pi (X_1 \otimes\cdots\otimes X_n) W_\pi^*$
is a primal feasible solution that achieves the desired value, where again $X_1,\ldots,X_n$ are optimal
primal solutions to the single-repetition semidefinite program. (This solution simply corresponds
to an attacker operating independently and optimally in each repetition.) For the dual problem,
we take

$$Y = \|R\|\,\mathbb{1}_{\mathcal{X}^{\otimes n}},$$

which is clearly dual-feasible. The condition (5) implies that $Q_0 = \frac{1}{d}\mathbb{1}_{\mathcal{Y}\otimes\mathcal{Z}\otimes\mathcal{X}} - Q_1$, and a consideration
of spectral decompositions of the commuting operators $Q_0$ and $Q_1$ reveals that



which establishes the required bound.

3.6 Optimal schemes in higher dimensions

We have observed that the best single-qubit variant of Wiesner's quantum money scheme has an
optimal counterfeiting probability of 2/3, and we know that the n-fold parallel repetition of this
scheme has an optimal counterfeiting probability of $(2/3)^n$. Thus, bank notes storing a quantum
state of dimension $d = 2^n$ can have an optimal counterfeiting probability of $(2/3)^n$. It is natural to
ask whether one can do better, using a scheme that is not given by the n-fold parallel repetition of
a single qubit scheme.

The answer is that there are better schemes (provided n > 1). More generally, for every d representing
the dimension of the state stored by a quantum bank note, there exist schemes whose
optimal counterfeiting probability is equal to 2/(d + 1), which is the best that is possible: Werner's
quantum cloning map [Wer98] will always succeed in counterfeiting any quantum bank note of dimension
d with probability 2/(d + 1). The following proposition shows that there exists a scheme
that matches this bound in all dimensions d.

Proposition 4. Let $\mathcal{E} = \{p_k, |\psi_k\rangle\}$ be any ensemble of d-dimensional states for which the operator

N

k=1

is given by

(6)

where $T$ is the transposition mapping with respect to the standard basis of $\mathbb{C}^d$ and $\Pi$ is the orthogonal
projector on the symmetric subspace of $\mathbb{C}^d \otimes \mathbb{C}^d \otimes \mathbb{C}^d$. Then no simple counterfeiting strategy can succeed
against the money scheme derived from $\mathcal{E}$ with probability more than 2/(d + 1).

Before proving the proposition, we note that any ensemble $\mathcal{E}$ obtained from a complex projective
(3,3)-design (also known as a quantum 3-design [AE07]) satisfies (6), and thus leads to
an optimal d-dimensional money scheme. This also suggests that one might obtain more efficient
schemes (i.e., involving fewer possible states for each part of the note) with security properties
similar to the ones described here if approximate designs are considered instead.

Proof of Proposition 4. Because we are looking for an upper bound on the maximum counterfeiting
probability, it suffices to construct a good feasible solution Y to the dual SDP described in
Section 3.1. We will choose $Y = \|Q\|\,\mathbb{1}_{\mathcal{X}}$, which is a feasible dual solution with corresponding
objective value $\operatorname{Tr}(Y) = d\|Q\|$. We indicate how results from [EW01] may be used to show that
$\|Q\| = 2/(d(d+1))$, proving the proposition.

The operator Q commutes with all operators of the form $U \otimes U \otimes \overline{U}$, where U is any unitary
acting on $\mathbb{C}^d$. In Section VI.A of [EW01] it is shown that any such operator can be written as a linear
combination of six conveniently chosen Hermitian operators $S_+, S_-, S_0, S_1, S_2, S_3$ (for a definition
see Eqs. (25a)-(25f) of [EW01]). For our operator Q we obtain the decomposition

$$Q = \frac{1}{\operatorname{rank}(\Pi)}\left(\frac{1}{3}S_+ + \frac{d+2}{6}(S_0+S_1)\right), \qquad (7)$$

where

$$S_+ = \frac{\mathbb{1}+V}{2} - \frac{1}{2(d+1)}(X + XV + VX + VXV),$$

$$S_0 + S_1 = \frac{1}{d+1}(X + XV + VX + VXV),$$

V is the operator that permutes the first two registers on which Q acts, and X the partial transpose
of the operator permuting the last two registers. Moreover, as shown in [EW01], $S_+$ and $S_0$ are
mutually orthogonal projections, $S_0S_1 = S_1S_0 = S_1$, $S_+S_1 = S_1S_+ = 0$, and $S_1^2 = S_0$. Hence, the
decomposition shows that the operator norm of Q satisfies

$$\|Q\| = \frac{1}{\operatorname{rank}(\Pi)}\cdot\frac{d+2}{3} = \frac{2}{d(d+1)},$$

as $\operatorname{rank}(\Pi) = \binom{d+2}{3}$. □



4 Money schemes with classical verification 

In this section we introduce a natural variant of Wiesner's scheme, as well as higher-dimensional
generalizations of it, in which the verification is done through classical communication with the
bank. To distinguish the corresponding bank notes from the ones discussed in the previous section,
we will call them tickets.⁶

6 As we will see, successful verification of a ticket necessarily entails its destruction. This is unavoidable, as shown
in [Gav11]. To avoid this issue one may concatenate many tickets together to create a single bill, that will be able to go
through as many verification attempts as it contains tickets.

4.1 Description of quantum tickets

A quantum ticket is defined in the same way as a bank note: it is a quantum state $|\psi_k\rangle$, where k
is a secret key kept by the bank, together with a unique serial number. We consider schemes in
which the classical verification procedure has the following simple form. The user first identifies
herself to the bank by announcing her ticket's serial number. The bank then sends her a classical
"challenge" $c \in C$ chosen uniformly at random, where C is some fixed finite set. Depending on c,
an honest user will perform a measurement $\Pi_c = \{\Pi_c^a\}_{a \in A}$ on her ticket, and report the outcome a
to the bank. The bank then looks up the secret key k associated with the user's ticket, and accepts
a if and only if the triple (a, c, k) falls in a fixed, publicly known set S of valid triples.⁷

A simple counterfeiting attack against such a scheme will attempt to use just one quantum
ticket in order to successfully answer two independent challenges from the bank. Such a counterfeiter
may be modeled by a collection of POVMs $A_{c_1c_2} = \{A_{c_1c_2}^{a_1a_2}\}_{a_1,a_2}$, and its success probability is

$$\sum_{k=1}^{N} p_k \frac{1}{|C|^2} \sum_{c_1,c_2} \sum_{\substack{(a_1,a_2):\\ (a_1,c_1,k)\in S\\ (a_2,c_2,k)\in S}} \langle\psi_k| A_{c_1c_2}^{a_1a_2} |\psi_k\rangle, \qquad (8)$$

which is the "classical-verification" analogue of (2). By letting registers Y and Z contain the answers
$a_1$ and $a_2$ respectively, and X contain the counterfeiter's input (the state $|\psi_k\rangle$ and the two
challenges $c_1, c_2$), the problem of maximizing (8) over all possible counterfeiting strategies can be
cast as a semidefinite program of the same form as the one introduced in Section 3.1, with the
corresponding operator Q defined as

$$Q = \sum_{k=1}^{N} p_k \frac{1}{|C|^2} \sum_{c_1,c_2} \sum_{\substack{(a_1,a_2):\\ (a_1,c_1,k)\in S\\ (a_2,c_2,k)\in S}} |a_1\rangle|a_2\rangle|c_1,c_2,\psi_k\rangle \langle a_1|\langle a_2|\langle c_1,c_2,\psi_k|.$$

Since Q is diagonal on the first 4 registers, without loss of generality an optimal solution X to the
primal problem will be correspondingly block-diagonal,

$$X = \sum_{a_1,a_2,c_1,c_2} |a_1,a_2,c_1,c_2\rangle\langle a_1,a_2,c_1,c_2| \otimes X_{c_1c_2}^{a_1a_2},$$

and the SDP constraints are immediately seen to exactly enforce that $\{X_{c_1c_2}^{a_1a_2}\}_{a_1,a_2}$ is a POVM for
every $(c_1,c_2)$.

We note that the problem faced by the counterfeiter can be cast as a special instance of the more
general state discrimination problem. Indeed, the counterfeiter's goal is to distinguish between the
following: for every pair of possible answers $(a_1,a_2)$, there is a mixed state corresponding to the
mixture over all states $|c_1\rangle|c_2\rangle|\psi_k\rangle$ for which $(a_1,a_2)$ would be a valid answer. (Each state is
weighted proportionally to the probability of the pair $(c_1,c_2)$ being chosen as challenges by the
bank, and of $|\psi_k\rangle$ being chosen as a bank note.) As such, the fact that the optimal counterfeiting
strategy can be cast as a semidefinite program follows from similar formulations for the general
state discrimination problem (such as the ones considered in, e.g., [EMV03]).

7 For instance, the bank could accept all "plausible" answers, i.e., all a such that $\langle\psi_k|\Pi_c^a|\psi_k\rangle > 0$. This condition
ensures that honest users are always accepted.






4.2 Analysis of a simple class of qudit schemes 

We further restrict our attention to a natural class of extensions of the classical-verification variant
of Wiesner's scheme described in the introduction. The schemes we consider are parametrized by
a dimension d and two fixed bases $\{|e_0^0\rangle,\ldots,|e_{d-1}^0\rangle\}$ and $\{|e_0^1\rangle,\ldots,|e_{d-1}^1\rangle\}$ of $\mathbb{C}^d$.⁸ Each scheme
is defined as the n-fold parallel repetition of a basic scheme in which N = 2d, the states $|\psi_{(t,b)}\rangle$
are the $|e_t^b\rangle$ for $t \in \{0,\ldots,d-1\}$ and $b \in \{0,1\}$, the random challenge is a bit $c \in \{0,1\}$, and the
valid answers are a = t if b = c, and any a if b ≠ c. Valid answers may be provided by an honest
user who measures his ticket in the basis corresponding to c. By writing out the corresponding
operator Q and constructing a feasible solution to the dual SDP, we show the following lemma,
from which Theorem 2 follows directly.

Lemma 5. For every simple counterfeiting attack against the n-qudit classical-verification scheme described
above, the success probability is at most $\left(\frac{3}{4} + \frac{\sqrt{c}}{4}\right)^n$, where $c = \max_{s,t} |\langle e_s^0|e_t^1\rangle|^2$ is the effective overlap.⁹
If d = 2, there is always a counterfeiting strategy that achieves this bound.

Proof. We first analyze simple counterfeiting attacks against the basic single-qudit scheme. Note
that if both challenges from the bank are identical, the counterfeiter can answer both correctly
with probability 1 by making the appropriate measurement on his qubit.

By symmetry, it suffices to consider the case where the first challenge is $c_1 = 0$ and the second
is $c_2 = 1$. In this case the operator Q becomes

$$Q = \frac{1}{2d} \sum_{s,t=0}^{d-1} |s\rangle\langle s|_{\mathcal{Y}} \otimes |t\rangle\langle t|_{\mathcal{Z}} \otimes \left(|e_s^0\rangle\langle e_s^0|_{\mathcal{X}} + |e_t^1\rangle\langle e_t^1|_{\mathcal{X}}\right).$$

For $s,t \in \{0,\ldots,d-1\}$, let $V_{s,t} = |e_s^0\rangle\langle e_s^0|_{\mathcal{X}} + |e_t^1\rangle\langle e_t^1|_{\mathcal{X}}$. As Q is block-diagonal, the dual SDP is

minimize: $\operatorname{Tr}(Y)$
subject to: $Y \ge \frac{1}{2d} V_{s,t}$ (for all s, t)     (9)
            $Y \in \operatorname{Herm}(\mathbb{C}^d)$.

$V_{s,t}$ is a rank-2 Hermitian matrix whose eigenvalues are $1 \pm |\langle e_s^0|e_t^1\rangle|$. Hence, $Y = \frac{1+\sqrt{c}}{2d}\mathbb{1}$ is a
feasible solution to the dual problem with objective value $(1+\sqrt{c})/2$, leading to an upper bound
on the best counterfeiting strategy with overall success probability at most $3/4 + \sqrt{c}/4$.

To finish the proof of the upper bound it suffices to note that the SDP has the same parallel
repetition property as was described in Section 3.4.

Finally, we show the "moreover" part of the claim. Relabeling the vectors if necessary, assume
$|\langle e_0^0|e_0^1\rangle| = \sqrt{c}$. Let $|u_0\rangle$ be the eigenvector of $V_{0,0}$ with largest eigenvalue $1+\sqrt{c}$, and $|u_1\rangle$ the
eigenvector with smallest eigenvalue. Using the observation that $|\langle e_1^0|e_1^1\rangle| = \sqrt{c}$, it may be checked
that

$$X = |0,0\rangle\langle 0,0| \otimes |u_0\rangle\langle u_0| + |1,1\rangle\langle 1,1| \otimes |u_1\rangle\langle u_1|$$

is a feasible solution to the primal SDP corresponding to (9) (as expressed in Section 3.1) with
objective value $(1+\sqrt{c})/2$, proving that the optimum of (9) is exactly $(1+\sqrt{c})/2$. □

8 It is easy to see that increasing the number of bases will only result in weaker security: indeed, the more the bases
the less likely it is that the bank's randomly chosen challenge will match the basis used to encode each qudit.

9 For any two bases of $\mathbb{C}^d$, $c \ge 1/d$, and this is achieved for a pair of mutually unbiased bases. This quantity also
arises naturally in the study of uncertainty relations (see e.g. [TR11]), of which our result may be seen as giving a special
form.
4.3 A matching lower bound

Let d be a fixed dimension. We introduce a quantum ticket scheme for which the upper bound
derived in the previous section is tight. For d = 2 our scheme recovers the one that is derived
from Wiesner's original quantum money. Let $X_d$ and $Z_d$ be the generalized Pauli matrices, acting
as

$$X_d : |i\rangle \mapsto |i+1 \bmod d\rangle \quad\text{and}\quad Z_d : |i\rangle \mapsto \omega^i |i\rangle,$$

where $\omega = e^{2\pi i/d}$. Let F be the quantum Fourier transform over $\mathbb{Z}_d$,

and note that $X_d = F Z_d F^\dagger$. Let $\{|e_t^0\rangle\}$ be the basis defined by $|e_t^0\rangle = (X_d)^t|0\rangle = |t\rangle$, and $\{|e_t^1\rangle\}$
the Fourier-transformed basis $|e_t^1\rangle = F|e_t^0\rangle = (Z_d)^t F|0\rangle$ for every t. Then

$$|\langle e_s^0|e_t^1\rangle| = |\langle s|F|t\rangle| = \frac{1}{\sqrt{d}}$$

for every s, t: the corresponding overlap is c = 1/d. Lemma 5 shows that the optimal cloner
achieves success at most $3/4 + 1/(4\sqrt{d})$. The following lemma states a matching lower bound.

Lemma 6. There is a cloner for the n-qudit ticket scheme described above which successfully answers both
challenges with success probability $\left(\frac{3}{4} + \frac{1}{4\sqrt{d}}\right)^n$.

Proof. We describe a cloner that acts independently on each qudit, succeeding with probability
$\frac{3}{4} + \frac{1}{4\sqrt{d}}$ on each qudit.¹⁰ Let

$$|\psi\rangle = (2 + 2/\sqrt{d})^{-1/2}\,(|0\rangle + F|0\rangle),$$

and for every (s, t) let $P_{s,t}$ be the rank 1 projector on the unit vector $X_d^s Z_d^t |\psi\rangle$. As a consequence of
Schur's lemma, $\sum_{s,t} \frac{1}{d} P_{s,t} = \mathbb{1}$, so that $\{P_{s,t}/d\}$ is a POVM.

The cloner proceeds as follows: if the challenge is either 00 or 11, he measures in the corresponding
basis and sends the resulting outcome as answer to both challenges. In this case he is
always correct. In case the challenge is either 01 or 10, he measures the ticket using the POVM
$\{P_{s,t}/d\}$, and uses s as answer to the challenge "0" and t as answer to the challenge "1". Because
the two challenges are distinct, only one of them corresponds to the actual basis in which the ticket
was encoded. Without loss of generality assume this is the "0" basis, so that the ticket is $|e_s^0\rangle = |s\rangle$.
The probability that the cloner obtains the correct outcome s is

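$$\sum_t \frac{1}{d} \operatorname{Tr}\left(P_{s,t}\,|s\rangle\langle s|\right) = \frac{1}{d}\sum_t \left|\langle s| X_d^s Z_d^t |\psi\rangle\right|^2 = |\langle 0|\psi\rangle|^2$$
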

because, for every t, it holds that (0| Z d = co 1 (0|. To conclude, it suffices to compute 

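$$|\langle 0|\psi\rangle|^2 = \frac{1}{2 + 2/\sqrt{d}}\,\left|\langle 0|0\rangle + \langle 0|F|0\rangle\right|^2 = \frac{1}{2}\left(1 + \frac{1}{\sqrt{d}}\right).$$
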

□ 



10 The analysis is very similar to one that was done in [VW11], in a different context but for essentially the same
problem.
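The cloner in the proof of Lemma 6 and the overlap bound of Lemma 5 can be checked numerically for small d. The Python below is an added example, not code from the paper; it uses only the standard library, its function names are assumptions, and it fixes F as the matrix with entries ω^(ij)/√d.

```python
import cmath
import math

def fourier(d):
    """Quantum Fourier transform over Z_d, as a list of rows: F[i][j] = w^(ij)/sqrt(d)."""
    w = cmath.exp(2j * math.pi / d)
    return [[w ** (i * j) / math.sqrt(d) for j in range(d)] for i in range(d)]

def cloner_vectors(d):
    """Unit vectors X_d^s Z_d^t |psi>, with |psi> proportional to |0> + F|0>."""
    w, F = cmath.exp(2j * math.pi / d), fourier(d)
    norm = math.sqrt(2 + 2 / math.sqrt(d))
    psi = [((i == 0) + F[i][0]) / norm for i in range(d)]
    vecs = {}
    for s in range(d):
        for t in range(d):
            z = [w ** (t * i) * psi[i] for i in range(d)]    # Z_d^t: |i> -> w^(ti) |i>
            vecs[s, t] = [z[(i - s) % d] for i in range(d)]  # X_d^s: |i> -> |i+s mod d>
    return vecs

def povm_defect(d):
    """Largest entry of sum_{s,t} P_{s,t}/d minus the identity (0 for a valid POVM)."""
    vecs = list(cloner_vectors(d).values())
    return max(abs(sum(v[i] * v[j].conjugate() for v in vecs) / d - (i == j))
               for i in range(d) for j in range(d))

def cloner_success(d):
    """Average probability that the cloner answers two independent challenges."""
    F, vecs = fourier(d), cloner_vectors(d)
    total = 0.0
    for b in (0, 1):                # basis in which the ticket was encoded
        for k in range(d):          # the ticket is |e_k^b>
            ticket = [F[i][k] if b else complex(i == k) for i in range(d)]
            # Outcome (s, t): s answers challenge 0 and t answers challenge 1;
            # only the answer for the encoding basis b has to equal k.
            hit = sum(abs(sum(x.conjugate() * y for x, y in zip(v, ticket))) ** 2 / d
                      for st, v in vecs.items() if st[b] == k)
            total += (2 + 2 * hit) / 4   # challenge pairs 00 and 11 never fail
    return total / (2 * d)

def lemma5_bound(d):
    """3/4 + sqrt(c)/4, with c the largest squared overlap between the two bases."""
    F = fourier(d)
    c = max(abs(F[s][t]) ** 2 for s in range(d) for t in range(d))
    return 0.75 + math.sqrt(c) / 4
```

For d = 2 `cloner_success` returns 3/4 + √2/8, the per-qubit value stated in the abstract, and for each d it coincides with `lemma5_bound`, so per-qudit security improves only as 1/√d as the ticket dimension grows.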